CVE-2019-19026: SQL Injection via project quotas in VMware Harbor Container Registry for Pivotal Platform
23858
04 December 2019
Status
CLOSED
Severity
High
Vendor
Pivotal
Description
VMware Harbor Container Registry for Pivotal Platform, in versions prior to 1.8.6 and 1.9.3, is vulnerable to SQL injection in the quotas section of the Harbor API. An authenticated administrator can send a specially crafted SQL payload through the GET parameter "sort", allowing the extraction of sensitive information from the database.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- VMware Harbor Container Registry for Pivotal Platform
  - 1.8 versions prior to 1.8.6
  - 1.9 versions prior to 1.9.3
Mitigation
- VMware Harbor Container Registry for Pivotal Platform
  - 1.8.6
  - 1.9.3
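The root cause described above, a user-controlled "sort" parameter reaching SQL text, is a common pattern in list endpoints: an ORDER BY clause cannot be bound as a prepared-statement parameter, so the field name tends to be interpolated as a string. The Go example below is an added illustration written for this page, not Harbor's own code, and it assumes a hypothetical "quota" table with the columns shown and a sort syntax of "field" or "-field" (assumed, not taken from the Harbor API). It places the interpolating pattern next to the fix that an allowlist-based review would ask for: map the requested key through a fixed set of trusted column names and build the clause from those trusted strings only, rejecting anything else.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// quotaSortColumns is the allowlist of sort keys a caller may request,
// mapped to real column names. The names are assumed for illustration
// and are not Harbor's schema.
var quotaSortColumns = map[string]string{
	"creation_time": "creation_time",
	"update_time":   "update_time",
	"hard":          "hard",
	"used":          "used",
}

// ErrInvalidSort is returned when the sort parameter is not on the allowlist.
var ErrInvalidSort = errors.New("invalid sort parameter")

// UnsafeOrderBy shows the vulnerable pattern: whatever the client sent as
// "sort" becomes part of the SQL statement. ORDER BY cannot take a bound
// parameter, so this is where interpolation tends to creep in.
func UnsafeOrderBy(sort string) string {
	return fmt.Sprintf("SELECT id, reference, hard, used FROM quota ORDER BY %s", sort)
}

// SafeOrderBy accepts "field" (ascending) or "-field" (descending), looks
// the field up in the allowlist and assembles the ORDER BY clause from
// trusted strings only. Any key not on the allowlist is rejected, so the
// request body never reaches the SQL text.
func SafeOrderBy(sort string) (string, error) {
	direction := "ASC"
	key := sort
	if strings.HasPrefix(sort, "-") {
		direction = "DESC"
		key = sort[1:]
	}
	col, ok := quotaSortColumns[key]
	if !ok {
		return "", ErrInvalidSort
	}
	return fmt.Sprintf("SELECT id, reference, hard, used FROM quota ORDER BY %s %s", col, direction), nil
}

func main() {
	// Constructed inputs: two legitimate sort keys and one that is not a
	// plain field name. The unsafe builder accepts all three verbatim; the
	// safe builder rejects the third before any SQL is produced.
	for _, sort := range []string{"hard", "-update_time", "hard ASC, id"} {
		fmt.Printf("unsafe: %s\n", UnsafeOrderBy(sort))
		if q, err := SafeOrderBy(sort); err != nil {
			fmt.Printf("safe:   rejected %q: %v\n", sort, err)
		} else {
			fmt.Printf("safe:   %s\n", q)
		}
	}
}
```

The allowlist is the control: validation by escaping or by pattern-matching the input is brittle for identifiers, whereas a fixed map from API key to column name means the SQL text is composed only of constants the server already owns. Rejected requests should return a 4xx to the client and are worth logging, since repeated invalid sort values from an administrative session are a useful detection signal for probing of this kind.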
Credit
This issue was responsibly reported by Cure53.
References
- https://github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19026
History
2019-12-04: Initial vulnerability report published.